3D Secure 2.0: Be Ready to Make It Work to Your Advantage

Nov 15, 2018 | by Michael O'Connor

Now that Mastercard and Visa have announced activation dates for EMV 3-D Secure (aka "3-D Secure 2.0"), it’s time for card issuers and issuing processors to ensure all the groundwork has been laid to take full advantage of the changes the updated standard will bring. At RSA, we’re doing our part by working to educate card issuers and processors on how to be prepared, as well as collaborating with industry partners to test transaction flows ahead of activation. If you’re an issuer, you should have been notified recently with the updated activation dates. Your part means being ready with the technology and processes to accommodate the changes that are in store—especially the shift in fraud liability from merchants to issuers.

The Challenge: Card-Not-Present Fraud Growing—and Liability Shifting
One of the major differences between the first release of the 3-D Secure specification and the 2.0 version is that 3-D Secure 2.0 supports additional channels for card-not-present (CNP) transactions, including in-app and digital wallet payments. As we know, mobile transactions have grown dramatically over the last decade, and now account for nearly half of all CNP transactions. We’ve seen other channels expanding as well, such as smart devices and the Internet of Things (IoT). As 3-D Secure 2.0 expands into these channels, it gives issuers the ability to assess risk for their cardholders outside of traditional browser-based transactions, but it also introduces more fraud liability.

An October 2018 report from the U.S. Federal Reserve Bank confirms that CNP fraud rates have been growing alongside these transactions; it specifically shows an increase of more than $1 billion over just one year, from $3.4 billion to nearly $4.6 billion. Until now, it’s been merchants rather than card issuers that have been liable for those losses. That changes with 3-D Secure 2.0, which makes issuers liable for non-browser transaction fraud as well.

The Opportunity: Using Robust, Risk-Based Authentication for Fraud Prevention
Fortunately for issuers, the shift in liability for fraud in 3-D Secure 2.0 is accompanied by the ability to put more robust authentication in place to prevent fraud in the first place. 3-D Secure 2.0 specifically supports token-based and biometric authentication and removes static data elements (such as passwords), making it more difficult for fraudsters to compromise credentials. It also enables risk-based authentication (RBA) decisions, so that whether the cardholder is asked to authenticate depends on how much risk a transaction presents, according to policies set by the card issuer. Smart RBA means good consumers seldom need to be authenticated. The result is more robust fraud prevention for issuers and, at the same time, convenient, frictionless payments for consumers.

Other Considerations for Issuers
In addition to being prepared with authentication capabilities that are appropriate to the challenge and opportunity of 3-D Secure 2.0, issuers need to ensure they have a clear migration path for the transition, as detailed in 3-D Secure 2.0: Key Considerations for Card Issuers, a guide prepared for RSA by the global research and advisory firm Aite Group. The guide discusses migration paths for different types of issuers—from those not enabled for 3-D Secure at all, to those who are on a non-risk-based version of 3-D Secure 1.0, to those who are on a risk-based version of the protocol. It also includes practical recommendations for migration planning.

The Role of RSA: Making Sure We’re Ready—and You Are, Too
Based on EMV 3-D Secure (3DS) 2.0 technology, Mastercard Identity Check launched earlier this year and since then has been successfully tested with merchants and banks across the globe. In preparation for 3-D Secure 2.0, RSA and Mastercard are working with a large UK bank and a large global retailer and have successfully processed one of the UK’s first end-to-end 3-D Secure 2.0 transaction tests. This successful test is an extremely positive step in the current phase for the new protocol, and we’re looking forward to continuing to test transaction flows ahead of activation. In addition, we’re providing guidance to issuers on how to prepare for 3-D Secure 2.0 by implementing appropriate processes and technology, such as through our work with Mastercard Payment Transaction Services.

# # #

For more detailed information about recommended measures to take, along with FAQs and other guidance, refer to the RSA white paper From Status Quo to 2.0.

Learn more about the Mastercard Identity Check roadmap and key 3-D Secure 2.0 compliance dates here.

